Disaster Recovery practice / Move PDC to new hardware

I was attempting to simulate a disaster recovery scenario where I needed to replace my primary domain controller with new hardware.  I figure that this would be one of the more complex DR tasks to accomplish and wanted to know what I was up against.  This also played well with the need to transition my primary domain controller to new hardware.

Both servers are running Windows Server 2008 R2 Standard.  I do have a secondary DC actively running on the network.  The PDC also has DNS, DHCP, Radius and WDS running.  I have read many articles on how to transfer using DCPROMO, but since I am attempting to do a disaster recovery simulation, what if those servers are not available?

I have been performing regular full backups using Windows Server Backup and have one available.  My original idea was to run a restore on the new box and restore the old server settings to the new server.  Unfortunately, that didn't work.  Right now, I'm kind of at a loss.
Evan Hines asked:

Lee W, MVP (Technology and Business Process Advisor) commented:
There are many solutions out there that will allow you to go from one box to another, but Windows is not one of them. This is one reason to have multiple DCs. Ideally, I would have at least one virtualized DC, which would make this easy. In a worst-case scenario, you could look at the uTools app UMove (Google it), which should allow you to restore AD recovered from a dead server or system state backup.

Mike Kline commented:
That second DC you have is your best bet against disaster, like Leew says. What you are thinking about is a common scenario discussed after 9/11 and other disasters, and what bigger organizations did was to set up DR/COOP sites in another region. Do you have another office that you can place a DC at?


Evan Hines (Author) commented:
Yes, I do have access to place a DC offsite. So let's say my PDC goes down and is not repairable. Would I promote the secondary DC (from offsite) and then replace the bad one with a new machine? The reason I ask is because my current secondary DC is virtualized. This is, of course, not considering the uTools app.

Mike Kline commented:
So if the DC goes down, or let's say worst case a flood or something hits that data center and that DC is never coming back:

You would seize all the FSMO roles to the second DC. You would clean up that dead DC (metadata cleanup). Make sure clients are pointing to the second DC for DNS (they should have at least two DNS entries anyway).

So now you still have that one working DC. Then yes, you would replace that dead DC with another DC, to always have at least two DCs in any production environment. It is fine that the second DC is virtualized; the steps are the same.
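
One way to script the seize-and-cleanup sequence described above on a Server 2008 R2 DC, as an added example that is not from the original thread; the names DC2, OLDDC, Default-First-Site-Name, contoso.com and 192.0.2.10 are placeholders, and it assumes the old role holder is confirmed permanently gone:

```powershell
# Added example: seize the five FSMO roles to the surviving DC, then remove the
# dead DC's metadata. Run elevated on the surviving DC ("DC2") only once the
# original holder ("OLDDC") is known to be permanently lost: a box whose roles
# were seized must never be reconnected to the domain.
Import-Module ActiveDirectory

$Survivor = 'DC2'                      # placeholder: DC that takes the roles
$DeadDc   = 'OLDDC'                    # placeholder: DC that is never coming back
$DeadDcIp = '192.0.2.10'               # placeholder: its old IP, for DNS client checks
$Site     = 'Default-First-Site-Name'  # placeholder: AD site the dead DC lived in
$Roles    = 'SchemaMaster','DomainNamingMaster','PDCEmulator','RIDMaster','InfrastructureMaster'

# 1. Record the current role holders (the dead DC will still be listed).
$Domain = Get-ADDomain; $Forest = Get-ADForest
"Before: PDC=$($Domain.PDCEmulator) RID=$($Domain.RIDMaster) Infra=$($Domain.InfrastructureMaster)"
"Before: Schema=$($Forest.SchemaMaster) DomainNaming=$($Forest.DomainNamingMaster)"

# 2. Seize rather than transfer: -Force skips contacting the unreachable holder.
Move-ADDirectoryServerOperationMasterRole -Identity $Survivor -OperationMasterRole $Roles -Force -Confirm:$false

# 3. Verify every role now points at the survivor before touching metadata.
$Domain = Get-ADDomain; $Forest = Get-ADForest
$Holders = @($Domain.PDCEmulator, $Domain.RIDMaster, $Domain.InfrastructureMaster,
             $Forest.SchemaMaster, $Forest.DomainNamingMaster)
$Stale = $Holders | Where-Object { $_ -notlike "$Survivor.*" }
if ($Stale) { throw "Role(s) still held elsewhere: $($Stale -join ', ')" }
"After: all five roles held by $Survivor"

# 4. Metadata cleanup: remove the dead DC's server and NTDS Settings objects.
#    On 2008 R2, ntdsutil accepts the whole command on the command line.
$ConfigNc = (Get-ADRootDSE).configurationNamingContext
$ServerDn = "CN=$DeadDc,CN=Servers,CN=$Site,CN=Sites,$ConfigNc"
ntdsutil "metadata cleanup" "remove selected server $ServerDn" quit quit

# 5. Confirm the survivor itself is not still using the dead DC for DNS
#    (the same check belongs on every client and member server).
$Nics = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE'
foreach ($Nic in $Nics) {
    if ($Nic.DNSServerSearchOrder -contains $DeadDcIp) {
        Write-Warning "$($Nic.Description) still lists dead DC $DeadDcIp as a DNS server"
    }
}
```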


Evan Hines (Author) commented:
I've been doing a lot of thinking about this. It seems like if I were to rely on the promotion of a backup DC to primary, the basic AD functionality would be there, but other services running only on the PDC would be lost, such as DHCP, Certificate Services, NPS and WDS (which are all services I am currently running on my PDC). Using the provided Server Backup application will only help if restoring to identical hardware. The only hope of restoring to new hardware is with a tool like UMove from uTools. Still, even with it, it doesn't appear to capture NPS or WDS, from what I have read on its site.

Prior advice given to me was to have a primary DC as a physical box instead of a VM to minimize complications of getting the hypervisor to work correctly (i.e. boot) without a working DC.  So here's my thought; what if my PDC was a VM, the only VM on that hypervisor, and the hypervisor box was not part of my domain?  That way if something were to happen and I had a complete backup of the PDC VM, all I would need to do was to pull back the backed up .vhd and everything is golden.  My setup uses Hyper-V.

Now it's been a long day and this may not make any sense when I read this again in the morning, but are there any thoughts on that as a setup?

Part of this idea stems from the fact that I just purchased a new beast of a server to become my PDC that has been spec'd out to handle all those functions. Moving the services not covered by UMove to another box would cause further stress on that machine. So by virtualizing the PDC, that should remove the HAL restriction, and a system restore to "identical hardware" would work just fine. And by assigning nearly 100% of the resources to the new DC, I'm still able to take advantage of all my horsepower.

Evan Hines (Author) commented:
Adding to the idea for my current issue would be to use a P2V converter, as outlined in http://www.interactivewebs.com/blog/index.php/server-tips/converting-a-physical-windows-machine-to-a-hyper-v-virtual-machine-p2v-problem/ (at the bottom), to take my current physical PDC and convert it to a VM to then move it to my new server.

Lee W, MVP (Technology and Business Process Advisor) commented:
1. You don't have a PDC. You have a DC that probably holds all the FSMO roles, but no PDC - PDCs were an NT 4 role... in Active Directory, everything is a DC.

2. I haven't used NPS (I assume you are referring to NAP; NPS is not something I hear of regularly, if ever). So I cannot comment on this.

3. Certificate Services - I don't use them myself, so I cannot comment on this.

4. WDS - The store can be anywhere, and those are just images anyway. I THINK I've restored the store easily, but I could be misremembering. While the images are important, I would suggest you export each image as you load them and store them someplace. You can then re-import them later if you need to.

5. I DO like a physical DC. But one should be sufficient. And I personally don't recall any reason why it has to hold the FSMO roles. So, to that end, you can have a DC in the domain that's on a physical box and does nothing else.

6. DHCP - assuming this isn't an SBS-based domain, you can have a second DHCP server and utilize a split scope so that each server has half the address pool. Either server can provide DHCP addresses, and each should have enough to cover all clients (supernet if you have to).

7. Not joining the Hyper-V host to the domain is fine... BUT, if you don't use the GUI version, which requires a Windows Server license, you'll potentially have some headaches configuring the firewall (joining to a domain tends to ease the headaches).

8. You DO NOT want an image-based restore of a DC in a multi-domain-controller environment. Performing one CAN kill your Active Directory. Microsoft doesn't support DCs being backed up by image. Now, if you only have ONE DC, that should be fine...

Mike Kline commented:
You can P2V a DC; you have to use the cold clone or offline method. We did it for all of our DCs with no issues (with Cert Services on them).

That is also discussed here: http://blogs.technet.com/b/askds/archive/2010/06/10/how-to-virtualize-active-directory-domain-controllers-part-1.aspx. Again, never do an online P2V. In our case our old DCs were going away.


Evan Hines (Author) commented:
Thank you both for the information. I'm trying to come up with a solid plan to cover (nearly) all situations that I may encounter for DR with respect to my DC. I have 2 DCs currently: 1 physical and 1 virtualized. Next summer I will be adding a 3rd one at an offsite location, which will give me the distance I need. The FSMO roles are currently on the physical DC, as are Certificate Services, DNS, DHCP, Network Policy and Access Services, Print Services and WDS. If the DC with the FSMO roles becomes unusable, I will have backups created that I can use to restore on the same hardware. However, if the same hardware becomes unavailable, the FSMO roles can be seized by another DC if necessary. So in regards to just AD, things seem fine. It's now an attempt to get my other services back running again.

Using UMove can solve Certificate Services, DNS and DHCP. Network Policy and Access Services can be migrated, but it doesn't appear that it can specifically be backed up (http://technet.microsoft.com/en-us/library/ee791849(WS.10).aspx). Print Services are no big deal, and WDS can also be backed up and rebuilt. Since leew has recommended against performing an image-based restore of a DC, I am now considering a different approach.

I am considering having my new box NOT be a DC, but instead run all the other services.  If I were to create one VM on my new box hosting all services of my current server except domain services, then I could have all those services backed up as a VM.  Then in a worst-case scenario where I need to rebuild all from scratch and new hardware, I can pull that VM backup and install it as a VM on new hardware without the hardware issues.  Once I move all my non-AD services off my current box, I can just keep it running basic AD services; the current box is fine, but just doesn't have the power to support all the other services.

Depending on my configuration, I may experience some migration issues when moving Network Policy and Access Services, since it is linked to the AD on that same box. And depending on how well UMove works on the Certificate Services, that may be up in the air too.

Any thoughts on that idea?  Thanks in advance.
Evan Hines (Author) commented:
Just wondering if anyone had any thoughts on my previously posted suggestion?

Mike Kline commented:
I like the idea of having the member server run the other services. I've never used or tested UMove, so I can't really comment on that product personally.


Evan Hines (Author) commented:
I ended up keeping my original box as the DC with FSMO roles, Certificate Services, DNS and Print Services. I moved DHCP, RADIUS and WDS to my new virtualized server. The migration process of DHCP was simple (except I had to reconfigure the helper address on switches). The migration of the RADIUS service was also simple (except I had to add the proper certificate to be allowed by Active Directory). The migration of WDS is still giving me fits, but I think it too has to do with the certificates.

The results were night and day. My users experienced a drastic speed and reliability improvement. And the process of transferring those services provides me with another method of backing up those services if my backed-up image fails.

As for backing up certificate services my plan is to do a P2V conversion of that server so it's all virtualized, then reinstall the box as a basic DC.

Thanks all for the help!